Public bug reported:

## PROBLEM ##

$ ps -p 1,2,
error: improper list

$ ps -o anything -p 1,2,
free(): invalid pointer
Signal 6 (ABRT) caught by ps (3.3.17).
ps:ps/display.c:70: please report this bug
Aborted (core dumped)


## VERSION ##

$ dpkg -l procps | grep ^ii
ii  procps         2:3.3.17-6ubuntu2.1 amd64        /proc file system utilities

$ ps --version
ps from procps-ng 3.3.17


## CAUSE ##

(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737347729344) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737347729344) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737347729344, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7d7c476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff7d627f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff7dc3676 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f15b77 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#6  0x00007ffff7ddacfc in malloc_printerr (str=str@entry=0x7ffff7f13744 "free(): invalid pointer") at ./malloc/malloc.c:5664
#7  0x00007ffff7ddca44 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at ./malloc/malloc.c:4439
#8  0x00007ffff7ddf453 in __GI___libc_free (mem=<optimized out>) at ./malloc/malloc.c:3391
#9  0x0000555555565d07 in parse_list (arg=<optimized out>, parse_fn=parse_fn@entry=0x5555555657f0 <parse_pid>) at ps/parser.c:222
#10 0x0000555555566d94 in parse_bsd_option () at ps/parser.c:682
#11 parse_all_options () at ps/parser.c:1122
#12 0x000055555555f38d in arg_parse (argv=0x7fffffffdd58, argc=5) at ps/parser.c:1196
#13 main (argc=5, argv=0x7fffffffdd58) at ps/display.c:682

That's here in ps/parser.c:

parse_error:
  free(buf);
  free(node->u); /* <-- uninitialized memory */
  free(node);
  return err;
}
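The excerpt above shows the pattern behind the crash: a list that is rejected before the item array is allocated jumps to parse_error, and free() is handed whatever garbage the malloc'd struct happened to contain in node->u. The following is an added example, not procps code, of a parse_list()-style parser written the safe way: every pointer the error path may free is set to NULL immediately after allocation, so free(NULL) is a no-op on the early-reject path and the later path frees a real array. The selection_node layout, the parse_pid helper, the "improper list" check and the error strings are constructed here for the illustration; it also checks the allocation results, which goes beyond the page's own excerpt.

```c
/* Added example (not procps code): a minimal comma-separated PID list
 * parser in the shape of ps's parse_list(), showing why every pointer
 * that an error path may free() must be initialised first. */
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <limits.h>

typedef struct selection_node {
    int n;      /* number of parsed items */
    long *u;    /* parsed values; NULL until the item array is allocated */
} selection_node;

/* Parse one decimal PID; return NULL on success or an error message. */
static const char *parse_pid(const char *s, long *out)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno || end == s || *end != '\0' || v <= 0 || v > INT_MAX)
        return "process ID out of range";
    *out = v;
    return NULL;
}

/* Return NULL and fill *result on success, else an error string.
 * On success *result is owned by the caller; free with free_selection(). */
const char *parse_list(const char *arg, selection_node **result)
{
    const char *err;
    char *buf = NULL, *walk;
    int need_item, items, i;
    selection_node *node;

    /*** prepare to operate ***/
    node = malloc(sizeof(*node));
    if (!node) return "out of memory";
    node->n = 0;
    node->u = NULL;         /* the fix: safe to free() on every path below */
    buf = malloc(strlen(arg) + 1);
    if (!buf) { err = "out of memory"; goto parse_error; }
    memcpy(buf, arg, strlen(arg) + 1);

    /*** sanity check and count items: reject "", "1,,2" and "1,2," ***/
    need_item = 1;
    items = 0;
    for (walk = buf; *walk; walk++) {
        if (*walk == ',') {
            if (need_item) { err = "improper list"; goto parse_error; }
            need_item = 1;
        } else {
            if (need_item) items++;
            need_item = 0;
        }
    }
    if (need_item) { err = "improper list"; goto parse_error; }

    /* only now does node->u point at real memory */
    node->u = calloc((size_t)items, sizeof(*node->u));
    if (!node->u) { err = "out of memory"; goto parse_error; }

    /*** parse each item in place, splitting on the commas ***/
    walk = buf;
    for (i = 0; i < items; i++) {
        char *sep = strchr(walk, ',');
        if (sep) *sep = '\0';
        if ((err = parse_pid(walk, &node->u[i])) != NULL) goto parse_error;
        walk = sep ? sep + 1 : walk + strlen(walk);
    }
    node->n = items;
    free(buf);
    *result = node;
    return NULL;

parse_error:
    free(buf);
    free(node->u);  /* NULL unless the item array was allocated above */
    free(node);
    return err;
}

void free_selection(selection_node *node)
{
    if (node) { free(node->u); free(node); }
}
```

The rejected input "1,2," never reaches the calloc, which is exactly the path that crashed ps; with node->u initialised the cleanup is identical on every exit. Building this with AddressSanitizer or running it under valgrind is the quickest way to catch the unfixed variant, since free() of an uninitialised pointer is reported as an invalid free rather than silently corrupting the heap.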


## FIX ##

Index: procps-3.3.17/ps/parser.c
===================================================================
--- procps-3.3.17.orig/ps/parser.c
+++ procps-3.3.17/ps/parser.c
@@ -185,6 +185,7 @@ static const char *parse_list(const char
   /*** prepare to operate ***/
   node = malloc(sizeof(selection_node));
   node->n = 0;
+  node->u = NULL;
   buf = strdup(arg);
   /*** sanity check and count items ***/
   need_item = 1; /* true */
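Review bot: the added `node->u = NULL;` directly after the malloc is the right minimal backport, since it turns the `free(node->u)` on the parse_error path into a harmless free(NULL) whenever the list is rejected before the item array exists; two points remain in the same hunk. First, `node->n = 0;` dereferences `node` and `buf = strdup(arg);` is used without either allocation being checked, so an allocation failure still crashes instead of reaching the error path. Second, the upstream commit this backports (f5f843e2) is titled for both the int overflow on a large argument and the free() of an uninitialised pointer, and this one-line hunk covers only the latter; the changelog entry should state that the overflow half of the upstream fix is not included.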


## FIX IN UPSTREAM ##

$ git show f5f843e257daeceaac2504b8957e84f4bf87a8f2
commit f5f843e257daeceaac2504b8957e84f4bf87a8f2
Author: Roman Žilka <roman.zi...@gmail.com>
Date:   Thu Aug 10 21:56:00 2023 +0200

    ps/parser: parse_list(): int overflow for large arg, free() of uninit. ptr

$ git describe f5f843e257daeceaac2504b8957e84f4bf87a8f2
v4.0.3-62-gf5f843e2


Patch attached.

Cheers,
Walter Doekes
OSSO B.V.

** Affects: procps (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "fix-sigabrt-on-improper-list.patch"
   
https://bugs.launchpad.net/bugs/2077938/+attachment/5809707/+files/fix-sigabrt-on-improper-list.patch

https://bugs.launchpad.net/bugs/2077938

Title:
  ps SIGABRT with -o something -p 1,2,

Status in procps package in Ubuntu:
  New

